Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 

Listing of Claims: 

1. (Currently Amended) A computer network, comprising: 

a client and a server connected by a network connection, wherein the client has a userid and a 
password associated with the client; 

wherein the client requests access to the server by sending a first set of values to the server, 
wherein the first set of values includes a client-generated random value, a large prime number, a primitive 
root of the large prime number, and the primitive root raised to a power of a large random integer less 
than the large prime number minus one; 

wherein the server responds to the client by generating a one-time challenge token that depends at 
least on a server-generated random value and sending the challenge token to the client, wherein the server 
generates the challenge token by exclusive-oring the server-generated random value with a first hash, and 
wherein the first hash is a hash of the primitive root of the large prime number raised to a power, a digest 
of the client's userid and password, and the client-generated random value; 

wherein the client retrieves the server-generated random value from the challenge token and 
sends the server-generated random value and the userid to the server; 

wherein the server verifies the received server-generated random value from the client is correct 
by comparing the server-generated random value received from the client with the server's stored value of 
the server-generated random number, and if so, the server generates a one-time authentication token and 
sends it to the client, giving it permission to access the server; 

wherein the client verifies the validity of the one-time authentication token received from the server; 

wherein if the client verifies that the one-time authentication token from the server is valid, the 
client changes the password by computing a hash of the userid and a new password to form a new digest, 
creating a mask, computing a message authentication code, and by exclusive-oring the mask with the new 
digest to form a result, and sending the result, the userid, and the message authentication code to the 
server; 

wherein the server retrieves the new digest by exclusive-oring the mask with the received result, 
and wherein the server verifies the received message authentication code; and 

wherein if the received message authentication code is verified, the server changes the client 
password by replacing a digest of at least the old password with a digest of at least the new password. 

2-8. (Canceled) 

9. (Currently Amended) A computer program product in a computer readable medium, comprising: 

a client and a server connected by a network connection, wherein the client has a userid and a 
password associated with the client; 

first instructions whereby the client requests access to the server by sending a first set of values to 
the server, wherein the first set of values includes a client-generated random value, a large prime number, 
a primitive root of the large prime number, and the primitive root raised to a power of a large random 
integer less than the large prime number minus one; 

second instructions whereby the server responds to the client by generating a one-time challenge 
token that depends at least on a server-generated random value and sending the challenge token to the 
client, wherein the server generates the challenge token by exclusive-oring the server-generated random 
value with a first hash, and wherein the first hash is a hash of the primitive root of the large prime number 
raised to a power, a digest of the client's userid and password, and the client-generated random value; 

third instructions whereby the client retrieves the server-generated random value from the 
challenge token and sends the server-generated random value and the userid to the server; 

fourth instructions whereby the server verifies the received server-generated random value from 
the client is correct by comparing the server-generated random value received from the client with the 
server's stored value of the server-generated random number, and if so, the server generates a one-time 
authentication token and sends it to the client, giving it permission to access the server; 

fifth instructions whereby the client verifies the validity of the one-time authentication token 
received from the server; 

sixth instructions whereby if the client verifies that the one-time authentication token from the 
server is valid, the client changes the password by computing a hash of the userid and a new password to 
form a new digest, creating a mask, computing a message authentication code, and by exclusive-oring the 
mask with the new digest to form a result, and sending the result, the userid, and the message 
authentication code to the server; 

seventh instructions whereby the server retrieves the new digest by exclusive-oring the mask with 
the received result, and wherein the server verifies the received message authentication code; and 

eighth instructions whereby the server changes the client password by replacing a digest of at 
least the old password with a digest of at least the new password if the received message authentication 
code is verified. 

10-16. (Canceled) 

17. (Currently Amended) A method of authenticating a client with a server across a network 
connection, comprising the steps of: 

requesting, by the client, access to the server by sending a first set of values to the server, wherein 
the first set of values includes a client-generated random value, a large prime number, a primitive root of 
the large prime number, and the primitive root raised to a power of a large random integer less than the 
large prime number minus one; 

responding, by the server, to the client by generating a one-time challenge token that depends on 
at least a server-generated random value and sending the challenge token to the client, wherein the server 
generates the challenge token by exclusive-oring the server-generated random value with a first hash, and 
wherein the first hash is a hash of the primitive root of the large prime number raised to a power, a digest 
of the client's userid and password, and the client-generated random value; 

retrieving, by the client, the server-generated random value from the challenge token; 

sending, by the client, the server-generated random value and a userid of the client to the server; 

verifying, by the server, the received server-generated random value from the client is correct by 
comparing the server-generated random value received from the client with the server's stored value of 
the server-generated random number; 

if the server-generated random value from the client is verified by the server, generating a one-time 
authentication token by the server; 

sending, by the server, the one-time authentication token to the client to thereby give the client 
permission to access the server; 

verifying, by the client, the validity of the one-time authentication token received from the server; 

if the client verifies that the one-time authentication token from the server is valid, changing, by 
the client, the password by computing a hash of the userid and a new password to form a new digest, 
creating a mask, computing a message authentication code, and by exclusive-oring the mask with the new 
digest to form a result; 

sending, by the client, the result, the userid, and the message authentication code to the server; 

retrieving, by the server, the new digest by exclusive-oring the mask with the received result; 

verifying, by the server, the received message authentication code; and 

if the received message authentication code is verified, changing, by the server, the client 
password by replacing a digest of at least the old password with a digest of at least the new password. 
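
The challenge/response and password-change steps recited in claims 1, 9 and 17, as an added Python illustration that is not part of the application. Assumptions: SHA-256 and HMAC-SHA-256 as the hash and message authentication code, the userid accompanying the first request, "raised to a power" meaning the g^a mod p value the client sent, and a hypothetical `subkey` derivation for the mask and MAC key; the one-time authentication token is omitted because the claims do not define its construction.

```python
import hashlib, hmac, secrets

def H(*parts):
    """SHA-256 over length-prefixed parts (hash choice is an assumption)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def digest(userid, password):
    return H(userid.encode(), password.encode())

def first_hash(g_a, dig, rc):
    # Assumption: "raised to a power" means the g^a mod p value the client sent.
    return H(str(g_a).encode(), dig, rc)

def subkey(label, dig, rs):
    # Assumption: mask and MAC key are derived from the stored digest and Rs.
    return H(label, dig, rs)

class Server:
    def __init__(self, userid, password):
        self.db, self.rs = {userid: digest(userid, password)}, {}

    def challenge(self, userid, rc, g_a):
        self.rs[userid] = secrets.token_bytes(32)  # server-generated random value
        return xor(self.rs[userid], first_hash(g_a, self.db[userid], rc))

    def verify_rs(self, userid, rs):
        stored = self.rs.get(userid)
        return stored is not None and hmac.compare_digest(stored, rs)

    def change_password(self, userid, result, mac):
        old, rs = self.db[userid], self.rs.pop(userid)  # Rs is used once
        new_dig = xor(result, subkey(b"mask", old, rs))
        want = hmac.new(subkey(b"mac", old, rs), result, hashlib.sha256).digest()
        if not hmac.compare_digest(want, mac):
            return False
        self.db[userid] = new_dig  # replace old digest with new digest
        return True

def client_recover_rs(token, g_a, userid, password, rc):
    return xor(token, first_hash(g_a, digest(userid, password), rc))

def client_change(userid, old_pw, new_pw, rs):
    old = digest(userid, old_pw)
    result = xor(subkey(b"mask", old, rs), digest(userid, new_pw))
    return result, hmac.new(subkey(b"mac", old, rs), result, hashlib.sha256).digest()
```

Every client-side computation here needs only the digest of the userid and password, so the digest the server stores acts as a password equivalent and needs the same protection as the password itself.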